Problem/Motivation

simple_oauth comes with a "Grant OAuth2 Codes" permission that restricts which users can complete the Authorization Code grant, which is the grant commonly used for integrating with third-party clients. By default there is no restriction on other grant types such as Password Credentials, though, so any user can use the Password Credentials grant on any client.

As we've diagnosed in https://www.drupal.org/project/farm/issues/3167752, there is an issue where an OAuth Client might need more permissions than the Users that authorize the client. Thus, there is a need for granular permissions that enable users to authorize individual OAuth Clients (Consumers) with any grant type (I don't think we need separate permissions for each grant type).

Not only would this solve the "set of permissions for granting certain permissions" issue, it would also allow general configuration of which users interact with first- and third-party clients. For example, only users with "authorize farm_client consumers" would be able to use farmOS Field Kit.
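As an added illustration of the per-consumer permission proposed above (this is example code, not farmOS or simple_oauth code), the following Drupal permission callback generates one "authorize <client_id> consumers" permission per Consumer entity and exposes a deny-by-default check. Assumptions, all hypothetical: the module is named farm_oauth_perms, the Consumer entity from the consumers module exposes a client_id field, and the place where the check is applied (before simple_oauth hands a grant to the OAuth2 server) is not shown.

```php
<?php

// Added example, not farmOS or simple_oauth code. Hypothetical module name:
// farm_oauth_perms. Assumes the Consumer entity has a `client_id` field.
//
// farm_oauth_perms.permissions.yml (hypothetical) would wire the callback in:
//
//   permission_callbacks:
//     - Drupal\farm_oauth_perms\ConsumerPermissions::permissions

namespace Drupal\farm_oauth_perms;

use Drupal\consumers\Entity\Consumer;
use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\StringTranslation\StringTranslationTrait;
use Symfony\Component\DependencyInjection\ContainerInterface;

/**
 * One "authorize <client_id> consumers" permission per Consumer entity.
 *
 * A single permission per consumer covers every grant type, which is what
 * the issue summary asks for: the Password Credentials grant is gated by the
 * same permission as the Authorization Code grant.
 */
final class ConsumerPermissions implements ContainerInjectionInterface {

  use StringTranslationTrait;

  public function __construct(private readonly EntityTypeManagerInterface $entityTypeManager) {}

  public static function create(ContainerInterface $container): static {
    return new static($container->get('entity_type.manager'));
  }

  /**
   * Builds the permission name, e.g. "authorize farm_client consumers".
   */
  public static function permissionName(Consumer $consumer): string {
    // Assumption: the consumers module exposes the client id as `client_id`.
    return 'authorize ' . $consumer->get('client_id')->value . ' consumers';
  }

  /**
   * Permission callback: returns the array shape Drupal expects.
   *
   * `restrict access` marks the permission as security-sensitive in the UI,
   * since holding it lets a user obtain tokens for the client with any grant.
   */
  public function permissions(): array {
    $permissions = [];
    $storage = $this->entityTypeManager->getStorage('consumer');
    /** @var \Drupal\consumers\Entity\Consumer $consumer */
    foreach ($storage->loadMultiple() as $consumer) {
      $permissions[self::permissionName($consumer)] = [
        'title' => $this->t('Authorize the %label consumer (@client_id)', [
          '%label' => $consumer->label(),
          '@client_id' => $consumer->get('client_id')->value,
        ]),
        'description' => $this->t('Allows the user to obtain OAuth2 tokens for this client with any grant type.'),
        'restrict access' => TRUE,
      ];
    }
    return $permissions;
  }

  /**
   * Deny by default: an account may authorize a consumer only when it holds
   * that consumer's permission. The caller (not shown) would apply this
   * before the OAuth2 server issues a token for any grant type.
   */
  public static function userMayAuthorize(AccountInterface $account, Consumer $consumer): bool {
    return $account->hasPermission(self::permissionName($consumer));
  }

}
```

The permission list is rebuilt from the Consumer entities each time the callback runs, so adding a consumer adds a permission without a cache clear of the module itself, although the permissions UI is cached and may need the usual rebuild. Because the check is a plain `hasPermission()` call, the normal Drupal role model applies: a role granted "authorize farm_client consumers" can use farmOS Field Kit, and roles without it are refused regardless of which grant the client attempts.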

Comments

paul121 created an issue.

m.stenta

Issue tags: +stable blocker

m.stenta

@paul121 I'd like to think through whether or not this needs to remain a "stable blocker" - or if we can remove that tag ahead of a 2.0.0 release. I think whatever we do here can happen after that, right? Are there any considerations we should think through/document?

paul121

@m.stenta correct - I think whatever we do here can happen after 2.0.0. This is blocking the authorization code grant on the aggregator right now but that isn't a big deal at the moment.

m.stenta

Issue tags: -stable blocker

Great thanks for the confirmation @paul121! Removing the "stable blocker" tag...

m.stenta

Version: 2.x-dev » 3.x-dev

Bumping this to 3.x - but it may need to be updated/closed if the Simple OAuth v6 upgrade affects it.